umesh

Reputation: 163

Microsoft oauth email sending issue in entra admin center

As I need to send email from Microsoft on behalf of a user who gave me mail-sending permission, below are the steps which I have followed:

  1. Created an application in entra.microsoft.com
  2. Added platform configuration as web and SPA
  3. Added permission for profile and mail for both application and delegated.

Now on the code side I followed the steps below:

  4. Called the API below from the browser

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize?client_id={client_id}&response_type=code&redirect_uri=http://localhost:3000&response_mode=query&scope=User.Read Mail.Read Mail.Send openid profile offline_access

  5. Then I get the code in the query parameter

  6. Used that code from step 5 in the API below

https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
where the body, in x-www-form-urlencoded format, is:
client_id, scope=User.Read Mail.Read Mail.Send openid profile offline_access, code, redirect_uri, grant_type=authorization_code, client_secret.

In the response I am getting

token_type,scope,expires_in,ext_expires_in,access_token,refresh_token,id_token.

  7. Now I am using the access_token from step 6 to send mail with the API below
    https://graph.microsoft.com/v1.0/users/" + fromEmailAddress + "/sendMail

but it always says

{
  "error": {
    "code": "ErrorInvalidUser",
    "message": "The requested user is invalid."
  }
}

Below are the images of my application in the Entra admin center of Microsoft.
Can someone help me to solve this issue or suggest the proper way to perform this task?
Thanks in advance

Upvotes: -1

Views: 566

Answers (1)

Rukmini

Reputation: 16064

The error "The requested user 'UPN' is invalid" usually occurs if you are generating an access token for a single-tenant application and passing a user from another tenant, or a Microsoft account user, to send mail.

I generated the auth code by using the endpoint below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=User.Read Mail.Read Mail.Send openid profile offline_access
&state=12345


Generated the access token by using the parameters below:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
scope:User.Read Mail.Read Mail.Send openid profile offline_access
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret


When I tried to send mail with a user from another tenant or a Microsoft account user, I got the same error as below:


To resolve the error, make sure the user you pass resides in your tenant, which you can verify by executing the query GET https://graph.microsoft.com/v1.0/users

  • Otherwise, if you want to pass a user from another tenant, register the application as multitenant and use the organizations endpoint to generate the code and access token.
  • If you want to pass a user from any other tenant or a Microsoft account user, then register the application by selecting "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts" and use the common endpoint.
  • Make sure the user has the required license to send mail.

Now, to send mail, I passed a user in the Azure AD tenant, and I am able to send mail successfully like below:

POST https://graph.microsoft.com/v1.0/users/[email protected]/sendMail

{
  "message": {
    "subject": "Meet for lunch?",
    "body": {
      "contentType": "Text",
      "content": "The new cafeteria is open."
    },
    "toRecipients": [
      {
        "emailAddress": {
          "address": "[email protected]"
        }
      }
    ]
  },
  "saveToSentItems": false
}


Upvotes: 0
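The procedure in the question and the diagnosis in the answer, as an added Python example that is not code from either post: it builds the same /authorize and /token requests, reads the `tid` and `scp` claims out of the returned access token, and checks that the target of /users/{user}/sendMail actually belongs to the token's tenant before calling Graph, which is exactly the condition that produces ErrorInvalidUser. The tenant id, client id, sample users and the sample token are constructed placeholders; because the question's redirect URI is a browser app at http://localhost:3000, the example uses PKCE (code_challenge/code_verifier) instead of a client_secret, since a secret must never be shipped to a browser. Only exchange_code() and send_mail() touch the network; everything else runs offline.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com/v1.0"
SCOPES = "User.Read Mail.Read Mail.Send openid profile offline_access"


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) for a public (browser) client."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(tenant, client_id, redirect_uri, state, code_challenge):
    """Question step 4 / answer's first request, fully URL-encoded. `tenant` is the
    tenant id for a single-tenant app, or 'organizations' / 'common' as the answer describes."""
    params = {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "response_mode": "query", "scope": SCOPES,
        "state": state,  # random per request; compare it when the code comes back
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def token_request_body(client_id, code, redirect_uri, code_verifier):
    """Question step 6: x-www-form-urlencoded /token body, PKCE verifier instead of a secret."""
    return urllib.parse.urlencode({
        "client_id": client_id, "scope": SCOPES, "code": code, "redirect_uri": redirect_uri,
        "grant_type": "authorization_code", "code_verifier": code_verifier,
    }).encode("ascii")


def exchange_code(tenant, client_id, code, redirect_uri, code_verifier):
    """Network call: POST to /token and return the JSON (access_token, refresh_token, ...)."""
    req = urllib.request.Request(
        f"{AUTHORITY}/{tenant}/oauth2/v2.0/token",
        data=token_request_body(client_id, code, redirect_uri, code_verifier),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature: fine for inspecting your own
    token locally (tid, scp, upn); Graph verifies the signature on its side."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight_send_mail(access_token, app_tenant, target_user, tenant_users):
    """The answer's diagnosis as a check. `tenant_users` is the `value` array of
    GET /users; `target_user` is a UPN or object id. Returns (ok, reason)."""
    claims = decode_jwt_claims(access_token)
    if claims.get("tid") != app_tenant:
        return False, f"token issued for tenant {claims.get('tid')}, not {app_tenant}"
    if "Mail.Send" not in claims.get("scp", "").split():
        return False, "token carries no Mail.Send delegated scope"
    match = next((u for u in tenant_users
                  if target_user.lower() in (u["id"].lower(), u["userPrincipalName"].lower())), None)
    if match is None:
        return False, f"{target_user} is not in tenant {app_tenant}: Graph answers ErrorInvalidUser"
    # A delegated token sends as the signed-in user; another mailbox needs Mail.Send.Shared.
    signed_in = (claims.get("upn") or claims.get("preferred_username") or "").lower()
    if signed_in and signed_in != match["userPrincipalName"].lower():
        return False, "delegated Mail.Send sends as the signed-in user; use /me/sendMail"
    return True, "ok"


def send_mail_request(target_user, subject, text, to_addresses, save_to_sent=False):
    """Build (url, body) for POST /users/{user}/sendMail, mirroring the answer's JSON."""
    body = {"message": {"subject": subject,
                        "body": {"contentType": "Text", "content": text},
                        "toRecipients": [{"emailAddress": {"address": a}} for a in to_addresses]},
            "saveToSentItems": save_to_sent}
    return f"{GRAPH}/users/{urllib.parse.quote(target_user, safe='@')}/sendMail", body


def send_mail(access_token, target_user, subject, text, to_addresses):
    """Network call: Graph answers 202 Accepted with an empty body on success."""
    url, body = send_mail_request(target_user, subject, text, to_addresses)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample data (not real identifiers): a fake tenant, two users and a
# JWT-shaped token with a dummy signature so the offline checks can run.
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_USERS = [
    {"id": "a1a1a1a1-0000-0000-0000-000000000001", "userPrincipalName": "alice@contoso.example"},
    {"id": "b2b2b2b2-0000-0000-0000-000000000002", "userPrincipalName": "bob@contoso.example"},
]


def _fake_jwt(claims):
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.c2ln"


SAMPLE_TOKEN = _fake_jwt({"tid": SAMPLE_TENANT, "scp": "Mail.Read Mail.Send User.Read",
                          "preferred_username": "alice@contoso.example"})
```

Run preflight_send_mail() with the `value` array from GET /users and the token you just received: a UPN from another tenant or an outlook.com account fails the membership check, which is the ErrorInvalidUser case in the answer, while a mismatch on `tid` tells you the token was minted against the wrong authority (single-tenant id versus organizations/common).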
